unauthorized access

Subscribe to unauthorized access

On April 25, 2013, a federal jury convicted Executive Recruiter David Nosal on three counts under the Computer Fraud and Abuse Act (“CFAA”), two counts under the Economic Espionage Act (“EEA”), and one count of conspiracy to violate the CFAA and EEA, for Nosal’s conduct leaving his former employer and establishing a competing business in 2004 and 2005.

The conviction followed an FBI investigation and multiple indictments alleging that Nosal conspired with former co-workers to gain unauthorized access to his former employer’s computers system and to illegally obtain its trade secrets – source lists of candidates compiled for search assignments – to use in his competing business.

On August 7, 2013, U.S. District Judge Edward Chen heard argument on Nosal’s motions for acquittal and a new trial and took both motions under submission. On August 15, 2013, the Court issued its ruling, denying both motions in a 39-page order.

This is Part I of a three part post. In this post we will look at the Court’s order on Nosal’s conviction of the CFAA counts. In Part II, we will review the EEA counts. Finally, in Part III, we will try to foresee what the future may hold for Nosal and look at some lessons employers can learn from this case.

A.     Nosal’s Conviction on the CFAA Counts:

Nosal was convicted of three counts under the CFAA for accessing his former employer’s computers and obtaining information on three separate occasions. In relevant part, the CFAA provides criminal penalties for:

[whoever] knowingly and with intent to defraud, accesses a protected computers without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computers and the value of such use is not more than $5,000 in any 1-year period;

18 U.S.C. § 1030(a)(4).

In his motions, Nosal argued broadly that he was entitled to acquittal or a new trial on the CFAA counts because: (1) no person gained unauthorized access to his former employer’s computers within the meaning of the CFAA; (2) the deliberate ignorance jury instruction was confusing; (3) there was insufficient evidence that Nosal had the requisite mental state to commit the CFAA violations; and (4) there was insufficient evidence of a conspiracy.

1.     Unauthorized Access to his former employer’s Computers

In support of the “no unauthorized access” argument, Nosal argued that: (1) under the Ninth Circuit’s en banc decision in this case (United States v. Nosal, 676 F.3d 854 (9th Cir. 2012)), there can be no CFAA violation because any access to his former employer’s computers was gained with the permission of the password holder and there was no circumvention of technological barriers; (2) Nosal’s former co-workers were authorized to access the computers; and (3) Nosal was authorized to receive certain information in the course of his work as an independent contractor for his former employer.

The Court rejected Nosal’s first argument, holding that “[n]owhere does the court’s opinion in Nosal hold that the government is additionally required to allege that a defendant circumvented technological access barriers in bringing charges under § 1030(a)(4)” and also noted that the indictment actually does allege circumvention of a technological barrier because “password protection is one of the most obvious technological access barriers that a business could adopt.”

The Court also dismissed Nosal’s second argument that his former co-workers were authorized to access his former employer’s computer, holding that the evidence established they did not have his former employer’s authorization and “that it is the actions of the employer who maintains the computers system that determine whether or not a person is acting with authorization.” In so doing, the Court distinguished Nosal’s argument that the verdict was criminalizing the allegedly common practice of employees sharing passwords with each other to access their employer’s computers systems by explaining that here, an employee of his former employer impermissibly gave her password, not to a co-worker, but to former employees who were not authorized to access the computers.

The Court also rejected Nosal’s argument that his former co-workers were authorized to access his former employer’s computers on the relevant dates, finding that the evidence sufficiently established that they were not authorized. Finally, the Court rejected Nosal’s argument that he was authorized to receive certain information from his former employer’s computers in his work as an independent contractor, holding he was only authorized to receive limited information relevant to specific work he was doing for his former employer, but that the information he received was for his competing business.

2.     Deliberate Ignorance Jury Instruction

Nosal also argued that an instruction that the jury could find that he had acted “knowingly” to violate the CFAA if he was aware of a high probability that his former executive assistant or former co-workers had gained unauthorized access to the computers or misappropriated trade secrets, and he deliberately avoided learning the truth, was confusing because his former executive assistant was at all relevant times employed by his former employer and was authorized to access the computers while the other former co-workers were not employed by his former employer and were not authorized.

The Court held that Nosal had waived this argument by not raising it earlier. Moreover, the Court held that the instruction was sufficiently clear that the jury could not convict Nosal on the CFAA counts if they concluded his former executive assistant has accessed the computers, because such access would not have been “unauthorized.”

3.     Evidence Nosal had Knowledge of Unauthorized Downloads

Nosal further argued that there was insufficient evidence he had knowledge of downloads from his former employer’s computers were unauthorized because the downloads were not conducted by his former executive assistant. Reciting substantial evidence presented at trial by the government, including evidence that Nosal gave his former co-workers specific directions about information he wanted from his former employer’s computers, that he knew a former co-worker had a large amount of data taken from the computers, that he knew they were not authorized to obtain the information, and that Nosal’s executive assistant did not know how to do so, the Court concluded the government had proved beyond a reasonable doubt that Nosal knew of, was deliberately indifferent to, and/or had conspired to commit the CFAA violations.

4.     Evidence of Conspiracy

Nosal also argued that there was not sufficient evidence of conspiracy. The Court dismissed this argument, concluding that the same evidence that Nosal had knowledge of the downloads from his former employer’s computers was sufficient to support the verdict on the conspiracy count.

In Part II of this post, we will look at Nosal’s conviction on the EEA counts.

Does the Computer Fraud and Abuse Act (“CFAA”) prohibit hacking–improperly gaining entrance into a computer system–or simply prohibit improper use of a computer system? U.S. Courts of Appeal are divided. Now, district and appellate court judges in a single federal case pending in the Northern District of California, U.S. v. Nosal, have produced several divergent opinions regarding congressional intent with respect to the meaning of the CFAA.

The defendant in Nosal allegedly persuaded employees of his former employer to log in to the employer’s computer system and forward confidential information to him. Nosal allegedly planned to use the information to compete with his former employer.

The CFAA provides that an individual who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access” is guilty of a crime. Although the CFAA is a criminal statute, most judicial opinions interpreting it are issued in civil (injunction and damages) litigation. Nosal is one of the unique reported CFAA cases in which the defendant was charged with a crime.

The most recent Ninth Circuit opinion in Nosal was written in 2012 by an en banc majority. Those judges concluded that the CFAA is simply an anti-hacking statute that criminalizes circumventing “technological barriers.” It does not apply to Nosal, the majority held, because he was not the person who entered his former employer’s computer system.

After the Ninth Circuit’s en banc decision was issued, affirming the district court’s dismissal of the indictment’s CFAA counts, a superseding indictment was returned. It alleged substantially the same crimes but added more facts with the purpose, apparently, of getting around the en banc ruling. Nosal again moved to dismiss the CFAA counts, stressing that the statutory words “accesses” and “access” relate to unauthorized logging into the company’s computer, not to the use that is made of the computer after logging in. Since he did not log in, he insisted, he could not be guilty of CFAA crimes.

In a ruling issued in mid-March 2013, Nosal’s motion was denied. The district court judge emphasized that the Ninth Circuit en banc majority’s words cannot be taken literally. According to that judge, “[h]acking was only a shorthand term used [by the en banc majority] as common parlance . . . to describe the general purpose of the CFAA,” and the phrase “circumvention of technological access barriers’ was an aside that does not appear to have been intended as having some precise definitional force.” In short, the district court judge concluded,

“[i]f the CFAA were not to apply where an authorized employee gave or even sold his or her password to another unauthorized individual, the CFAA could be rendered toothless. Surely Congress could not have intended such a result.”

Proposed legislation to expand the scope of the CFAA is currently being circulated among the House Judiciary Comittee. Nevertheless, practitioners and parties in the states and territory which encompass the Ninth Circuit — Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon, Washington State, and the Territory of Guam — will likely have to wait at least until the next CFAA lawsuit is decided by the Ninth Circuit before they may reliably predict what conduct will be held to violate the CFAA.

By Robert Milligan and Joshua Salinas

Wrongfully accessing someone’s personal email account may cost you $1,000 per unauthorized access, even if that person suffers no injury or loss. In Pure Power Boot Camp v. Warrior Fitness Boot Camp, 2010 WL 5222128 (S.D.N.Y. 2010), a New York district court permitted the recovery of statutory damages under the Stored Communications Act (SCA) (18 U.S.C. § 2707(a)) without proof of actual damages sustained.

Lauren Brenner allegedly hired former U.S. Marines Ruben Belliard and Alex Fell to work as “drill instructors” at her Pure Power Boot Camp physical fitness center. While still employed at Pure Power, Belliard and Fell allegedly made plans to open a competing boot camp style physical fitness center. Belliard and Fell left Pure Power, and shortly thereafter opened Warrior Fitness Boot Camp.

Fell alleged that after he left, Benner, or someone from Pure Power, accessed his personal e-mail account and printed e-mails from his personal Gmail, Hotmail, and Warrior Fitness accounts. Fell had left his username and password information saved on Pure Power computers, which allowed access to his email accounts. The emails revealed that Belliard and Fell allegedly copied Pure Power documents, stole Pure Power customers, and shredded their non-compete agreement.

Benner allegedly read these emails and Pure Power Boot Camp brought claims against Belliard and Fell, which included claims for breach of their non-compete agreements and theft of Pure Power’s business model, customers, and documents.

Fell counterclaimed against several parties, including Brenner and Pure Power, alleging that the unauthorized access of Fell’s account violated the SCA and entitled him to statutory and punitive damages, as well as attorneys’ fees.

A significant issue in this case was whether Fell could recover statutory damages under the SCA, even though he failed to allege or prove actual damages. In fact, Fell confirmed in his deposition that he sought only statutory and punitive damages.

On summary judgment, the court held that proof of actual damages is not required to recover under the SCA. The interesting aspect of this case was the court’s departure from the holding in Van Alstyne v. Elec. Scriptorium, Ltd.,560 F.3d 199 (4th Cir. 2009), the only federal appellate decision to analyze this issue. Van Alstyne required proof of actual damages in order to recover the $1,000 statutory damages under SCA. Van Alstyne based its decision on Doe v. Chao, 540 U.S. 614 (2004), where the Supreme Court required proof of actual damages for recovery under the Privacy Act. However, the Pure Power court criticized Van Alstyne’s analysis because the SCA and Privacy Act have different purposes, language construction, and legislative histories.

Indeed, according to the court, an overwhelming majority of jurisdictions decided after Doe permit recovery of statutory damages under the SCA absent actual damages. This has been applied to unauthorized access of employee’s email accounts (Cedar Hill Assocs., Inc. v. Paget, No. 04cv0557, 2005 WL 3430562 (N.D. Ill. 2005)), restricted websites (In re Hawaiian Airlines, Inc., 355 B.R. 225 (D.Haw. 2006)), and social media accounts (Pietrylo v. Hillstone Restaurant Group, No. 06-5754, 2009 WL 3128420 (D.N.J. 2009)).

The court, however, rejected Fell’s argument that each e-mail that was accessed constituted a separate $1000 violation under the SCA. The court found that, because the period over which the emails were accessed was relatively short (a nine day period), and because there was no evidence indicating the specific number of times each account was accessed, it was appropriate to aggregate the intrusions with respect to each individual e-mail account and find that there had been four independent violations of the SCA  –one violation for each unauthorized access of an electronic communications facility, which allowed access to electronic communications while still in electronic storage.  The court also rejected Fell’s request for punitive damages at this stage in the proceedings because the court was unable to determine as a matter of law which party accessed the email accounts, and the surrounding circumstances, and therefore, there was no basis upon which to decide whether punitive damages were appropriate. The court also rejected Fell’s request for attorneys’ fees as premature because the court was presently unable to determine which of the parties named in the counterclaim was liable for the four violations of the SCA.

The Pure Power court’s affirmation of some employee privacy rights and the removal of the actual damages hurdle to a SCA claim have several implications for employers and management. First, increased attention must be given when dealing with employee personal e-mail and social network accounts. The decision does not impair the ability to monitor employee web activity or work provided email accounts, provided that the employer has clear policies articulating that employees have no expectation of privacy. However, extra care must be given to employee personal accounts, particularly when the employee saves login information on the computer and the login information is used to access the employee’s personal accounts. Employers should not engage in such conduct. 

In Pure Power, the access of Fell’s email accounts created a cause of action to recover statutory damages for Fell, where the employer may have a solid non-compete/unfair competition suit against the employee. Perhaps more detrimental to employer Pure Power Boot Camp, the court also excluded the highly relevant emails demonstrating alleged employee disloyalty from evidence. Finally, the ability to recover statutory damages without proof of actual damages, as well as punitive damages and attorney fees, may provide an incentive for employees and their counsel to pursue SCA claims against current and former employers.